CVE-2026-24590
Missing Authorization in VideoWhisper Paid Videochat
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Patchstack
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| videowhisper | paid_videochat_turnkey_site | to 7.3.23 (inc) |
| patchstack | wordpress_paid_videochat_turnkey_site_plugin | to 7.3.23 (inc) |
| patchstack | wordpress_paid_videochat_turnkey_site_plugin | 7.3.24 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability is a Missing Authorization issue that allows unauthenticated users to perform actions requiring higher privileges due to broken access control.
Such broken access control can lead to unauthorized access to sensitive data or functionality, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls to protect personal or sensitive information.
However, the provided information does not explicitly state the direct impact on compliance with these regulations.
Can you explain this vulnerability to me?
CVE-2026-24590 is a Broken Access Control vulnerability in the WordPress Paid Videochat Turnkey Site Plugin, versions 7.3.23 and below.
It occurs due to missing authorization checks, which allows unauthenticated users to perform actions that normally require higher privileges.
This means that users without proper permissions can exploit incorrectly configured access control security levels to access or perform restricted operations.
How can this vulnerability impact me? :
This vulnerability can allow unauthorized users to perform privileged actions on affected websites using the Paid Videochat Turnkey Site Plugin.
While the vulnerability is considered low severity with a CVSS score of 5.3 and is unlikely to be exploited individually, it poses a risk in mass-exploit campaigns targeting thousands of websites.
If exploited, it could lead to unauthorized access or manipulation of site features that should be restricted, potentially compromising the integrity of the site.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the WordPress Paid Videochat Turnkey Site Plugin (CVE-2026-24590), you should immediately update the plugin to version 7.3.24 or later.
If updating immediately is not possible, seek assistance from your hosting provider or developer to apply necessary patches or workarounds.
Consider enabling auto-update features provided by Patchstack to ensure the plugin remains up to date and protected against this and similar vulnerabilities.